@Brian Hay’s interview with @JohnDimitropoulos. Brian is a real Cyber crime fighter!
We had the pleasure of interviewing Brian as he is one of many great officers in the Australian police force who are defending us from real cyber criminals.
Brian is considered a thought leader in cyber security. Brian had a decorated career with the Queensland Police Force, where he served as Commander of the Fraud & Cyber Crime Group and later as Detective Superintendent for cybercrime. Brian was the Chair of the Australia New Zealand Police Advisory Agency’s eCrime Working Group, he is a member of the Federal Attorney-General’s National Cybercrime Working Group, and he currently advises boards and executives on cyber security matters. In 2009 Brian received an international award from McAfee for his efforts in combating cybercrime, “The International Award for Cyber Crime Fighter of the Year”. Brian is also a recipient of the Australian Police Medal, and in 2010 he received the National AusCERT Award for Individual Excellence in Information Security.
At Liberty, we love staying close to the most important and interesting technology matters. We usually discuss key topics that we believe Banking and Finance executives and Technology industry members care about. This segment’s focus was on #CyberSecurity, which should be top of mind for governments, corporations and individuals.
So, Brian, I’d like to bring to our audience’s attention this graph here from McKinsey. It’s actually from 2021, where they predicted that by 2025, $10.5 trillion will be spent on cyber security. Of course, that is to defend and protect ourselves from cyber security. It is to deal with recovery if there is a breach. And of course, any penalties or any consequences that come from a potential breach. The other interesting statistic from this McKinsey graph is that there are three and a half million, as of 18 months ago, three and a half million, vacancies in the cybersecurity space worldwide. It’s very interesting. Do you believe, Brian, that organisations and governments place enough emphasis on cybersecurity? Is it top of mind? Is it a top priority for them? And if so, do you believe that they invest adequately in cybersecurity?
Yeah, you raise a couple of great issues with that question, and you break it down into a number of parts. Everyone is aware of cyber security as an issue, but do the organizations and the governments fully understand the complexities associated with that issue? My answer and response to that is no. And I’ll take a recent example: the new federal Minister for Cyber, and no criticism. I think she’s very much out there trying to put cyber into position, but the concept that we’re going to just go and arrest these criminals overseas and bring them back and hold them to account as part of our defence strategy is horribly flawed and reflects a mindset that perhaps she doesn’t know the challenge that she’s put ahead of herself. And how effective would that be? You know, in my law enforcement days, it was all about prevention. So enabling, getting communications out to the public, giving them awareness of what the local, national and international threats were so they could better position themselves to prevent the crime from occurring. My position was that if we’ve got to investigate an incident, it means we’ve already lost because we already have victims. And if I asked you how many cyber criminals have been extradited back to Australia to be held to account for their crimes in the last 20 years, what would your answer be?
I really don’t know.
Zero. None. So why is it we’ve got this mindset, let’s go catch the crooks, we’ve got victims to deal with. Well, isn’t it better to actually prevent the crime from occurring? And the Minister made one great statement which I absolutely loved, I’ve used it many times myself on stages in the last decade: if we could make this country twice as resilient as it is today, over the next 12 months, 3 years, we would actually see the crooks focus on other countries. You know, take out the… Most cybercrime is driven by organized crime. Take out the nation-state sponsored actor. Their motivation is completely different. So, our biggest threat is organized crime, and the purpose of organized crime is to make as much money as possible. So if they had to put in twice the effort to make the same volume of money out of Australian citizens, well, they’re gonna put that effort somewhere else because they can make twice as much money, because that’s what their game is. Their game is all about profit. Okay, so… you know, building resilience is key. But one of the great challenges we have, and I’ve spoken to many boards and different organizations around this country and even overseas, is that I’m not fully convinced that we still fully understand the threat. And if we don’t understand the threat, how can we possibly manage the risk? And so, we’re in this evolutionary gap. We’re trying to catch up and understand what that threat landscape is. And we’ve grown up with a diet pretty much over the last 20 years that has been led by the marketing teams of vendors. And the idea is buy this technology and you’re gonna be safe. Well, how’s that working for us? And the other one that I always laugh at is the idea that we can technologize the human out of the equation. Yeah, well, how’s that working for us? It’s not going real flash, is it? The essence is, how do we enable this great nation through its people to build cyber resilience? And that’s not the conversation I’m hearing.
Okay, so I’m not sure I’ve answered your question. Do they place enough emphasis? There is an emphasis. Are they investing adequately? I suggest not, because they’re investing only in the technology side of the equation. If you look at the World Economic Forum report of 2022, towards the end of last year, it came out and it cited that up to 95% of all cyber incidents are actually caused by human failure, not a technology failure. And we see that in the data from the Federal Privacy Commissioner’s office as well. So people think by investing in the right technologies, and don’t get me wrong, we need the right technologies, we absolutely do, they think that’s the be all and end all. They think if we invest in the right technologies, we’re managing this risk. Absolutely not. How can you be doing so when 95% of your risk rests with your people? And the sad part is, again, as a nation we look to Canberra for guidance on how we manage this cyber security challenge.
And I’m about to say something that could be controversial. I don’t want to offend any of the men and women working in ACSC and in Canberra at all. But the focus, if you look at it, is around the Essential Eight. Okay? And that’s a great thing. You go back historically, it was the ASD’s Top Four, from the top four of the 35, then 36 risk mitigation strategies. That’s all terrific, John, but all of those strategies actually are focused on technology. Not one is focused on building human resilience and building people and culture within the organization. Now, if that’s 95% of your risk, aren’t we failing as a nation by not addressing it? Yeah, absolutely.
Absolutely. Thanks for that Brian.